
USE CASE: Simplify PCI Compliance With Network Segmentation for Airlines

SPOTLIGHTS
Industry: Aviation
Use Case: Simplify PCI compliance with network segmentation for airlines
PCI DSS: The Payment Card Industry Data Security Standard is a proprietary information security standard for organizations that handle branded credit cards from the major providers, including Visa, MasterCard, American Express, Discover and JCB.

Business Drivers
The airline industry typically differs in operation from general retailers, because several third parties – including travel agents, airlines and airports – may be involved in the process of a customer buying a ticket and boarding an aircraft. These third parties, as well as the service and network providers who issue tickets, look up seat availability and process payments, may have access to payment card data, and that data is used for more than payment. Across the industry, for example, customers’ card numbers serve to validate their identities at both staffed check-in desks and self-service kiosks, making the information highly sensitive.

A theft or breach of cardholder data can negatively impact the entire industry, causing customers to lose trust in the services and in the airline merchants. Customers’ credit scores can be damaged, which can in turn damage their reputations. Customer-facing businesses and financial institutions lose credibility and can be subject to numerous financial liabilities. Payment Card Industry Data Security Standard (PCI DSS) compliance is in the industry’s best interest not only because it secures sensitive customer information and personal finances but also because it helps organizations maintain safer networks.

Business Challenge
PCI compliance is mandatory for airlines, extending to all system components included in or connected to the cardholder data environment (CDE). For airlines, this extends from the point of acceptance to any customer service application holding or using cardholder data. It is the card data acquirer’s responsibility to impose compliance on its airline merchants. The airline is therefore responsible for the security of each of its distribution channels, whether the system elements are internal or external.
Offsetting the value of PCI compliance, however, are some related challenges. These include the substantial effort and investment required to achieve compliance in the first place, along with the unfortunate reality that compliance does not necessarily translate to adequate defense against advanced cyberattacks.

1. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

Palo Alto Networks | Simplify PCI Compliance With Network Segmentation for Airlines | Use Case 1

Substantial Effort Required

For all system components included in or connected to the cardholder data environment, organizations must comply with more than 300 requirements. It is in every organization’s best interest, therefore, to take advantage of the network segmentation provisions stated in the PCI DSS to effectively isolate their CDE and thereby decrease the amount of infrastructure that is considered in scope. Segmentation is not a scope reduction in itself, however: the reduced scope holds only while the isolation is real, and PCI DSS v3.1 Requirement 11.3.4 calls for penetration testing, at least annually and after any change to segmentation controls, to verify that the segmentation methods are operational and effective. Done properly, segmentation decreases the cost and complexity of PCI compliance in several predictable ways, and can deliver additional operational and security benefits. For example, when armed with an appropriate solution, organizations can use network segmentation to:
• Reduce the number of system components that must be brought into compliance in the first place, along with any derivative impact doing so might have (such as the need to re-architect portions of the network or redesign certain applications and systems).
• Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever compliance requirements are updated.
• Reduce the number of system components and processes that must be periodically audited to demonstrate compliance.
• Reduce and simplify management of the policies, access control and threat prevention rules that apply to the CDE.
• Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations.
• Greatly improve the organization’s ability to contain and limit the spread of threats.

Traditional Approaches
A flat network casts a wide scope of compliance. Organizations that do not isolate their payment devices, such as point-of-sale devices, credit card-processing workstations and servers, typically face more challenges during periodic compliance assessments than those that segment those devices. Any network segment that processes or transmits unencrypted credit card information must meet all PCI DSS requirements. In a flat, unsegmented network, the entire network is in scope for the PCI DSS.
VLANs were designed for traffic management, not security. Your Qualified Security Assessor, or QSA, will likely agree that VLANs and ACLs alone do not provide the security controls needed to meet PCI DSS requirements and are extremely difficult to manage at enterprise scale. A VLAN separates broadcast domains; on its own it cannot enforce which users or applications may reach privileged information.
Alternative security options, such as legacy port-based firewalls, also fall short because they are indiscriminate about the traffic that is allowed through on a permitted port and do not provide the necessary visibility or control over the actions of a segment’s users. For example, there is no way to determine which applications are being used, which data is being accessed, or whether specific users are allowed to access a particular segment in the first place.
It is not sufficient to merely meet PCI DSS requirements. The PCI DSS itself states that it provides “a baseline of technical and operational requirements” for protecting cardholder data. The specified countermeasures represent only a minimum standard of due care, and because of the now three-year period between revisions, they often lag behind significant changes in the technology and threat landscapes.
One self-acknowledged example of this can be found in the requirement to “deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)” in PCI DSS section 5.1. In this case, the standard explicitly mentions the consideration of “additional anti-malware solutions … as a supplement to the anti-virus software,” presumably in recognition of the poor track record such software has when it comes to stopping modern, polymorphic malware and zero-day exploits.
A second example comes from the requirement to “implement stateful inspection” technology as part of the solution to “prohibit direct public access between the internet and any system component in the cardholder data environment” in PCI DSS section 1.3.6. Commentary by Verizon® on this requirement says it all: “The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering ‘next generation’ firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.”2
Specific examples aside, the key point to realize here is that it’s typically necessary for security and compliance teams to go above and beyond PCI DSS requirements to establish security architectures that more effectively address modern threats and more closely align with their organizations’ risk tolerance.

2. http://www.verizonenterprise.com/pcireport/2015/


Palo Alto Networks Approach

Unlike traditional solutions, Palo Alto Networks® Next-Generation Security Platform natively classifies all traffic, regardless of port, protocol or encryption (classifying an encrypted session by the application inside it requires that decryption be enabled for that traffic; otherwise App-ID sees only the encrypted session itself). This complete visibility into network activity allows an organization to substantially reduce its attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire™ cloud-based threat analysis service. With next-generation endpoint security capable of stopping unknown threats and automated coordination among the natively integrated platform components, the platform delivers maximum protection for an organization’s entire computing environment while greatly reducing the need for human intervention and remediation.

Figure 1: Palo Alto Networks Next-Generation Security Platform (cloud-delivered security services above next-generation firewalls, advanced endpoint protection and cloud security)
Robust Network Segmentation
Palo Alto Networks Next-Generation Security Platform uniquely ensures isolation of an organization’s cardholder data environment with a robust set of natively integrated security capabilities, including:
• Complete application-level (Layer 7 of the OSI Model) traffic control: At the heart of our platform, App-ID™ technology accurately identifies and classifies all traffic by its corresponding application, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the network, like the CDE, this provides the best possible control by allowing security administrators to deny all traffic except the few applications that are explicitly permitted.
• Least-privileged access control across the network: Along with App-ID, User-ID™ and Content-ID™ technologies enable organizations to tightly control access to the CDE based on a range of business-relevant attributes, including the specific application and individual functions being used, the identities of individual users and groups, and the specific elements of data being accessed (e.g., credit card or Social Security numbers). The result is a definitive implementation of least-privileged access control wherein administrators can create straightforward security rules to allow only the absolute minimum, legitimate traffic in the zone while automatically denying everything else.
• Advanced threat protection: A combination of antivirus/anti-malware, intrusion prevention and advanced threat prevention technologies (Content-ID and WildFire) filter all allowed traffic for known and unknown threats.
• Flexible data filtering: Administrators can allow necessary applications while still blocking unwanted file transfer functionality and file types, and can control the transfer of sensitive data, such as credit card numbers or custom data patterns, in application content or attachments.

Figure 2: Comparison of flat versus segmented network

Non-Segmented Network Using ACLs (cardholder servers, infrastructure servers, development servers and user workstations share one network behind the WAN/Internet edge):
• All servers and associated traffic may fall within the scope of PCI audit

Segmented Network With Palo Alto Networks Isolates Cardholder Data (cardholder servers placed in a dedicated PCI zone behind a Palo Alto Networks next-generation firewall, separate from infrastructure servers, development servers and user workstations):
• Access to the PCI zone is limited to finance users based on User-ID (i.e., Active Directory® security groups) and App-ID (i.e., limit internal and internet applications)
• Scope of PCI audit is reduced to cardholder segment and finance users


Meet and Exceed Multiple Requirements

Reducing the scope of compliance with effective network segmentation is only one way Palo Alto Networks Next-Generation Security Platform supports organizations in achieving PCI compliance. It also addresses many individual requirements specified in the DSS, as detailed in Appendix I.

Did you know? Traps advanced endpoint protection helps you fulfill two PCI DSS requirements:
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs. Palo Alto Networks Traps™ advanced endpoint protection is an innovative technology that prevents exploits and malware, both known and unknown, and exceeds the original PCI DSS requirement, resulting in a much stronger security and compliance posture. Keep in mind that PCI DSS v3.1 describes such solutions as a supplement to anti-virus software (see the discussion of Requirement 5.1 above), so whether Traps may stand in for anti-virus on a given system is a determination for your QSA.
Requirement 6: Develop and maintain secure systems and applications. Customers of Palo Alto Networks have reported that their PCI QSA approved the use of Traps as a compensating control for systems that cannot be patched in a timely manner.

Business Benefits of Exceeding PCI Compliance Using the Next-Generation Security Platform
Several examples have already been provided of ways in which the Palo Alto Networks platform surpasses PCI DSS requirements to deliver the greater protection today’s organizations need, including:
• Reduced scope of compliance by isolating PCI devices: The next-generation firewall controls the flow of information into and within the CDE zone based on the principle of least privilege to block/deny all users, applications and content except that which is absolutely necessary.
• Reduced exposure of networked systems to known/unknown attacks, malware and vulnerabilities: All components of the platform are natively integrated to ensure threats are quickly identified – and stopped – at all threat vectors into your network.
• Empower your security team with greater visibility: Native integration within the platform empowers your security team to quickly identify the important data points that require attention.
Among other ways, our platform delivers next-generation protection that exceeds the DSS’s baseline requirements through extensive information-sharing and coordination among platform elements. For example, new protections developed from WildFire’s real-time threat intelligence are automatically distributed to customer systems in as few as five minutes. The platform’s natively integrated threat prevention capabilities create a closed-loop architecture that delivers unparalleled threat response without the need for time-consuming manual interventions by already overwhelmed security teams.

We Need Better Firewalls
“One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. […] Their ability to monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly sophisticated threats make next-generation firewalls a must-have.”
– Verizon 2015 PCI Compliance Report

Architectural Vision
As you plan your PCI segmentation strategy, it is important to understand the types of devices that will be considered in or out of scope for compliance. The following are examples of devices that may be in your environment:

TYPICALLY IN-SCOPE FOR PCI:
• Tablet/Mobile POS: Merchants who collect credit card payments via wireless tablets or mobile devices may consider such devices as in scope.
• POS PC: PCs or registers used as points of sale may be considered in scope.
• POS Server: Servers that receive credit card data from POS devices and either transmit or store such data may be considered in scope.
• Phone: If you collect credit card numbers over the phone, phones may be considered in scope.

TYPICALLY OUT-OF-SCOPE FOR PCI:
• Barcode Scanner: These devices typically do not process credit card transactions and hence are usually out of scope.
• Laptop/Office PC: Mobile wireless laptops used in departments that do not process credit card numbers are usually considered out of scope.
• Other Non-POS Server: Servers that do not process credit card numbers are usually considered out of scope.

Remember that a device is out of scope only if it is also isolated from the CDE: a system that handles no card data but has unrestricted connectivity to in-scope systems is itself in scope (see Business Challenge), which is why the out-of-scope devices above need their own zones.


Reference Architecture
The PCI reference architecture below outlines recommended zones of isolation for merchants, regardless of the size of the organization. Security zones are logical containers for physical interfaces, VLANs, IP address ranges or a combination thereof. The switch and next-generation firewall icons in the diagram indicate the flexibility of using one, the other or a combination to enforce isolation all the way to the Ethernet jack/access point.

Figure 3: PCI reference architecture
IN SCOPE FOR PCI: ZONE: Wireless POS (tablet/mobile POS via access point); ZONE: POS (POS PC, POS server); ZONE: Voice (phone)
OUT OF SCOPE FOR PCI: ZONE: Wireless Data (laptop via access point); ZONE: Data (barcode scanner, office PC, non-POS server)
Every zone reaches the next-generation firewall through the switch layer; the firewall connects via a router to the data center/WAN, so traffic between any two zones, and between any zone and the WAN, crosses the firewall.

Implementation Overview
Products required:
• Palo Alto Networks Next-Generation Firewall
• Threat Prevention subscription
• WildFire subscription

How you will do it:

Determine the deployment method(s) you will use to insert next-generation firewalls into your environment.
Palo Alto Networks Next-Generation Firewall offers Layer 1 (virtual wire), Layer 2 and Layer 3 deployment modes on a single hardware appliance, along with networking features such as static and dynamic routing, 802.1Q VLANs, trunked ports and traffic shaping. These capabilities allow network engineers to insert the Next-Generation Security Platform into an existing architectural design with minimal or no configuration changes to surrounding or adjacent network devices: virtual wire mode is transparent to its neighbors, while Layer 3 mode requires the adjacent devices to route to the firewall, as in the customer deployment in Figure 8.
The platform can sit in-line in front of or behind existing security appliances. Additionally, it can be deployed to connect two or more networks, bridge Layer 2 and Layer 3 networks, or provide full routing and connectivity of all networks and sub-networks across the organization. Palo Alto Networks also offers VM-Series next-generation firewalls, a virtual form factor, for segmentation within a virtualized server infrastructure.
Multiple management domains (see Figure 3) can be accommodated by taking advantage of isolated virtual systems (vsys) on a physical appliance. Virtual systems allow you to segment the administration of all policies (security, NAT, quality of service, etc.) as well as all reporting and visibility functions, so that, for example, the CDE zones can be administered separately from the rest of the network.


Figure 4: Segmented network with Palo Alto Networks isolates cardholder data (cardholder servers in a PCI zone behind a Palo Alto Networks next-generation firewall; finance users, infrastructure servers and development servers in their own zones; the firewall sits between those zones and the WAN and Internet)

Next, define your PCI zones.

Security zones are logical containers for physical interfaces, VLANs, IP address ranges or a combination thereof. Next-generation firewall security policies use these zones to clearly identify one or more source and destination interfaces on the platform. Each interface on the firewall must be assigned to a security zone before it can process traffic. This allows organizations to create security zones to represent the different segments being connected to and controlled by the firewall. For example, a security administrator can allocate all cardholder or patient data repositories in one network segment identified by a security zone (like the Cardholder Data Environment, or “CDE zone”). Then the administrator can craft security policies that only permit certain users, groups of users, specific applications or other security zones to access the CDE zone, thereby preventing unauthorized internal or external access to the data stored there.

Figure 5: Options available when you select “Create a Zone”

Figure 5 shows the options available when you select “Create a Zone.” You need to associate the zone with at least one interface, and select the “Zone Protection Profile” and “Log Setting” options. The include/exclude lists on the right side of the dialog are the zone’s User Identification ACL: they control which source IP ranges User-ID will resolve to usernames for this zone. They do not restrict which addresses can reach the zone; that is the job of the security policy rules defined in the next step.
Once you’ve created your PCI zone, you need to define rules to allow/block access to it. Figure 6 shows an example of how easy it is for administrators to define straightforward rules to control access to zones.
• The first rule, titled “PCI,” allows users in the “Users” zone who are in the “Finance” Active Directory security group to access the Oracle® application in the “CC_Servers” zone.
• The second rule blocks any other users from accessing the “CC_Servers” zone and logs them.
PAN-OS evaluates the security rulebase top-down and stops at the first match, so the allow rule must sit above the block rule; in the reverse order, Finance would never reach Oracle. Traffic that matches neither rule falls to the predefined interzone-default rule, which denies it but does not log by default; enable logging on that rule so that denied attempts are recorded for Requirement 10.

Palo Alto Networks | Simplify PCI Compliance With Network Segmentation for Airlines | Use Case 6
USE CASE: Simplify PCI Compliance With Network Segmentation for Airlines

Figure 6: Example rules to isolate and protect cardholder data in the CC_Servers zone

Figure 7: Creation of two rules to isolate and protect cardholder data in a PCI zone
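The two rules shown in Figures 6 and 7, as an added example that is not part of the original document or of PAN-OS itself: a first-match evaluator that reproduces how the firewall would treat a few sample flows, a check for rules shadowed by an earlier rule (the ordering mistake warned about above), and the PAN-OS configure-mode `set` lines that would create the rules. The zone names Users and CC_Servers, the Finance AD group, the Oracle application and the rule name “PCI” come from the text; the directory prefix `acme\`, the block rule’s name, the sample flows and the `set` syntax are assumptions.

```python
"""Added example, not code from the Palo Alto Networks document: a first-match
evaluator for the two CC_Servers rules described in the text, a shadowing
check, and the PAN-OS configure-mode 'set' lines that would create the rules.
Zone names, the Finance group, the oracle app and the rule name "PCI" come from
the text; the 'acme\\' prefix, the block rule's name and the flows are made up."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    user_groups: FrozenSet[str]  # groups User-ID mapped the source user to
    app: str                     # application name as classified by App-ID


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str     # zone name or ANY
    to_zone: str       # zone name or ANY
    source_user: str   # AD group name or ANY
    app: str           # App-ID name or ANY
    action: str        # "allow" or "deny"
    log_end: bool = True

    def matches(self, flow: Flow) -> bool:
        return (self.from_zone in (ANY, flow.from_zone)
                and self.to_zone in (ANY, flow.to_zone)
                and self.source_user in (ANY, *flow.user_groups)
                and self.app in (ANY, flow.app))

    def to_set_cli(self) -> str:
        """PAN-OS 'set rulebase security rules ...' line. The syntax is assumed
        from the CLI reference; check it against your release before pasting."""
        user = f'"{self.source_user}"' if self.source_user != ANY else ANY
        service = "application-default" if self.app != ANY else ANY
        return (f"set rulebase security rules {self.name} from {self.from_zone} "
                f"to {self.to_zone} source any destination any source-user {user} "
                f"application {self.app} service {service} action {self.action} "
                f"log-end {'yes' if self.log_end else 'no'}")


# The two rules from the text, in the order the firewall evaluates them.
RULEBASE: List[Rule] = [
    Rule("PCI", "Users", "CC_Servers", "acme\\finance", "oracle", "allow"),
    Rule("Block-CC_Servers", ANY, "CC_Servers", ANY, ANY, "deny"),
]


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Top-down, first-match evaluation as PAN-OS does it. Flows matching no
    explicit rule fall to the predefined defaults: intrazone traffic is
    allowed, interzone traffic is denied (both unlogged unless you enable it)."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def _covers(a: str, b: str) -> bool:
    return a == ANY or a == b


def shadowed_rules(rulebase: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    matches a superset of their traffic (e.g. the deny placed above the allow)."""
    out = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if all(_covers(getattr(earlier, f), getattr(rule, f))
                   for f in ("from_zone", "to_zone", "source_user", "app")):
                out.append(rule.name)
                break
    return out


if __name__ == "__main__":
    finance = frozenset({"acme\\finance", "acme\\staff"})
    sales = frozenset({"acme\\sales", "acme\\staff"})
    for flow in (Flow("Users", "CC_Servers", finance, "oracle"),
                 Flow("Users", "CC_Servers", finance, "ssh"),
                 Flow("Users", "CC_Servers", sales, "oracle"),
                 Flow("Users", "Data", sales, "web-browsing")):
        print(flow.from_zone, "->", flow.to_zone, flow.app, evaluate(RULEBASE, flow))
    print("shadowed when reversed:", shadowed_rules(list(reversed(RULEBASE))))
    for rule in RULEBASE:
        print(rule.to_set_cli())
```

Note that a Finance user’s SSH session to CC_Servers is denied by the second rule even though the user is allowed into the zone: the allow is scoped to the Oracle application, which is the “allow only the minimum, deny everything else” posture the text describes. The `service application-default` setting additionally pins the allowed application to its standard ports.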


Actual Customer Deployment:
Deploying a Next-Generation Firewall in Layer 3 Mode to Reduce the Scope of PCI Compliance

Figure 8: Internal and PCI zones on redundant PA-7050 appliances (non-POS devices on VL90 in the Internal zone and POS devices on VL170 in the PCI zone, both terminating on a pair of PA-7050 appliances in Layer 3 mode behind the distribution and core switches; a PA-5050 in Layer 3 mode sits at the edge in front of the public routers and the Internet)

ZONE           VLAN(s)   Description
Internal Zone  VL90      Includes VL90, which contains all non-POS devices
PCI Zone       VL170     Contains VL170, which contains all POS devices

Figure 8 shows how an airline customer employs next-generation firewalls to isolate its point-of-sale devices from the rest of the network, reducing the scope of compliance to include only the devices within the PCI zone. The customer uses several other zones to isolate various devices on the network, but for simplicity, Figure 8 shows only the internal and PCI zones.
The customer’s architecture incorporates two redundant PA-7050 appliances, in Layer 3 mode, hanging off a Cisco® distribution switch. A PCI zone is configured in the next-generation firewall to include VL170, which contains all the POS devices. The internal zone is configured in the next-generation firewall to include VL90, which is the primary internal network where non-POS devices connect. Traffic between the internal and PCI zones is controlled by a PCI security policy defined in PAN-OS®.
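A scope reduction like the one above has to be demonstrated, not just configured. The following is an added example, not part of the original document or of any Palo Alto Networks tool: a small reachability check of the kind a PCI DSS v3.1 Requirement 11.3.4 segmentation test starts from, meant to be run from a host in the Internal zone (VL90) against the addresses of the PCI zone (VL170). The VLAN names come from the deployment above; the 172.16.170.x addresses, the probe ports, the single permitted endpoint (an assumed POS management host on TCP/443) and the offline stand-in for the real probe are constructed for illustration.

```python
"""Added example, not from the Palo Alto Networks document: a reachability check
from the Internal zone (VL90) into the PCI zone (VL170), of the kind a PCI DSS
v3.1 Requirement 11.3.4 segmentation test starts from. Addresses, ports and
the allow-list are constructed; the only path expected to work is an (assumed)
POS management host on TCP/443."""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes. A blocked connection shows up as a
    timeout or a refused connection; both count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(targets: Iterable[str], ports: Iterable[int],
                       allowed: Set[Endpoint],
                       probe: Probe = tcp_probe) -> Dict[str, List[Endpoint]]:
    """Probe every target:port pair and sort the results into three buckets.
    Anything reachable that is not on the documented allow-list is a finding
    that the QSA will want explained or fixed before the scope reduction holds."""
    result: Dict[str, List[Endpoint]] = {
        "reachable_allowed": [], "reachable_violation": [], "blocked": []}
    for host in targets:
        for port in ports:
            ep = (host, port)
            if not probe(host, port):
                result["blocked"].append(ep)
            elif ep in allowed:
                result["reachable_allowed"].append(ep)
            else:
                result["reachable_violation"].append(ep)
    return result


def segmentation_holds(report: Dict[str, List[Endpoint]]) -> bool:
    return not report["reachable_violation"]


# Constructed VL170 (PCI zone) inventory and the single permitted path.
PCI_ZONE_HOSTS = ["172.16.170.10", "172.16.170.11", "172.16.170.20"]
PROBE_PORTS = [22, 80, 443, 445, 1521, 3389]
ALLOWED: Set[Endpoint] = {("172.16.170.20", 443)}  # assumed POS management host


def constructed_probe_results() -> Probe:
    """Stand-in for tcp_probe so the example runs offline: models a firewall
    that permits the allowed endpoint plus one misconfiguration (SMB to .11)."""
    open_endpoints = {("172.16.170.20", 443), ("172.16.170.11", 445)}
    return lambda host, port: (host, port) in open_endpoints


if __name__ == "__main__":
    # Replace probe=... with the default tcp_probe to run it for real from VL90.
    report = check_segmentation(PCI_ZONE_HOSTS, PROBE_PORTS, ALLOWED,
                                probe=constructed_probe_results())
    print("violations:", report["reachable_violation"])
    print("segmentation holds:", segmentation_holds(report))
```

Two caveats when running this for real. First, a completed handshake on a port covered by an App-ID allow rule does not by itself prove the application is permitted: the firewall needs a few packets to classify the session and may reset it afterwards, so confirm violations by exchanging application data. Second, this is a quick regression check after a rule change, not the annual penetration test the requirement calls for; keep the output as evidence alongside that test.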

Actual Customer Deployment:
Using GlobalProtect, VM-Series Next-Generation Firewall and AWS to Reduce the Scope of PCI Compliance

Figure 9: Cardholder data isolated from data center with GlobalProtect and VM-Series (at each fueling station location, the customer’s on-site processor, “OSP”, and a Windows PC running GlobalProtect connect to a GlobalProtect gateway in the AWS East or West region; a VM-Series NGFW and central gateway in the Amazon Web Services Virtual Private Cloud enforce GlobalProtect policies that allow OSP diagnostics through to the data collection servers in the customer’s on-premise data center but block cardholder data from entering it)

The above diagram shows how a provider of fuel management system monitoring services deployed GlobalProtect™ network security for endpoints and VM-Series virtualized next-generation firewalls on Amazon® Web Services (AWS®) to prevent cardholder data from entering their own network and, hence, removed their network from the scope of PCI.


The customer monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical anal-
ysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at
risk of leaks, illegal siphoning or other potentially hazardous situations. The customer installs remote data collection devices – minimally
configured network appliances called “on-site processors” – on each fuel station’s local network. These devices collect data from every
dispenser, tank and line at the station, then transmit it to the customer’s data center for analysis and reporting.
The customer architecture incorporates virtual GlobalProtect gateways in AWS for geographical optimization (one for the east region,
one for the west) and a VM-Series next-generation firewall to block threats and cardholder data from entering the network. By prevent-
ing cardholder data from entering its network, the customer excludes its data center from the scope of PCI compliance.

Advice and Next Steps


No single vendor or product can provide complete compliance with the Payment Card Industry Data Security Standard. What merchants
require instead is a thorough set of policies, processes and practices – including network segmentation – supported by an essential set
of technological countermeasures to enforce them. Regardless of how you choose to implement Palo Alto Networks Next-Generation
Security Platform in your environment, you can be sure that the flexibility of integration options will facilitate a smooth implementation
of controls to help you meet and exceed PCI DSS requirements.
Now that you understand what’s involved as you prepare to deploy Palo Alto Networks Next-Generation Firewall to enhance your PCI
compliance, go ahead and get started:
PAN-OS® Administrator’s Guide: https://www.paloaltonetworks.com/documentation


Appendix I

PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform
The Palo Alto Networks platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following tables. All references made in this paper to specific requirements are based on PCI DSS version 3.1.

Compliance Capabilities
Products covered: Next-Generation Firewall, WildFire, Traps. The supported sub-requirements and the capability involved for each requirement are listed in Appendix II.

PCI DSS REQUIREMENT
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel


Appendix II
Detailed Descriptions
The Palo Alto Networks platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following table. All references made in this paper to specific requirements are based on PCI DSS 3.1.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
Description of capabilities: The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least-privileged access control (i.e., deny all applications, users and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the internet and any CDE system.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Supported sub-requirements: 2.3
Description of capabilities: The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the attack surface. These controls include changing vendor passwords; enabling only necessary services, protocols and daemons; and removing unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and web servers. For a relatively complex cardholder data environment, there are potentially thousands of instances in which unnecessary services, unnecessary functionality and insecure services could operate.
Traps provides an automated preventive control capability to reduce risks associated with threat vectors or attack points. The unique approach employed by Traps ensures that, even if unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps will block the exploit technique and prevent any malicious activities from occurring. Insightful forensics evidence is collected to support incident response processes or further investigative activities. With Traps operating in the CDE, organizations can reduce their risk.

Requirement 3: Protect stored cardholder data
Supported sub-requirements: N/A
Description of capabilities: This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Description of capabilities: Standards-based IPsec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either a TLS- or IPsec-protected connection. With its unique application, user and content identification technologies, the Next-Generation Security Platform is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., email, instant messaging and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: N/A
Description of capabilities: The advanced endpoint protection capabilities of the Next-Generation Security Platform provide a much-needed complement to legacy antivirus solutions, which are largely incapable of providing protection against unknown malware, zero-day exploits and advanced persistent threats.

Requirement 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.6
Description of capabilities: As a fully application-aware offering, Palo Alto Networks Next-Generation Security Platform can prevent a range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.

Requirement 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Granular, policy-based control over applications, users and content, regardless of the user’s device or location, enables organizations to implement definitive, least-privileged access control that truly limits access to cardholder data based on business “need to know,” with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job classification and function.

Requirement 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smart cards.

Requirement 9: Restrict physical access to cardholder data
Supported sub-requirements: N/A
Description of capabilities: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: The Next-Generation Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile matches. It also supports daily and periodic review of log data with native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security information and event management (SIEM) systems, such as Splunk).

Requirement 11: Regularly test security systems and processes
Supported sub-requirements: 11.4
Description of capabilities: The Next-Generation Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single, unified threat engine delivers intrusion prevention, stream-based antivirus prevention, and blocking of unapproved file types and data. The cloud-based WildFire service extends these capabilities further by identifying unknown and targeted malware and exploits and working in conjunction with on-premise components to prevent them. The net result is comprehensive protection from all types of threats in a single pass of traffic.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. simplify-pci-compliance-with-network-segmentation-for-airlines-uc-091817
